COMMAND

    phPay XSS, path disclosure, phpinfo()

SYSTEMS AFFECTED

    v2.02 and possibly older versions

PROBLEM

    In ALPER Research Labs Security Advisory ARL03-A16 [http://www.olympos.org/]:

    phPay is an ecommerce, webshop and catalogue system for PHP4 & MySQL. It
    supports several languages and includes many functions for an online
    shopping area.

    Multiple path disclosure, information leakage and a Cross Site Scripting
    problem exist within "phPay v2.02".

    1. Cross Site Scripting vulnerability in search.php
    ====================================================

    Example:
    http://[TARGET]/search.php?sess=your_session_id&lookfor=<script>alert(document.cookie)</script>

    2. Path disclosure vulnerability, when a non-existent language is selected.
    ===========================================================================

    Example:
    http://[TARGET]/login.php?sess=your_session_id&abt=&new_lang=99999&caller=navlang

    Output:
    >Fatal error: Failed opening required 'lang/.inc.php'
    >(include_path='.:/usr/share/php') in /home/web/html/phpay/lib.inc.php on
    >line 10

    3. Path disclosure in start.php
    ===============================

    When pointing to a non-existent file; this might also allow inclusion of
    arbitrary remote files.

    Example:
    http://[TARGET]/start.php?config=alper.inc.php

    Output:
    >Fatal error: Failed opening required './alper.inc.php'
    >(include_path='.:/usr/share/php') in /home/web/html/phpay/start.php on
    >line 17

    4. phpinfo()
    ============

    You may stop by and watch the phpinfo(); for the site in /admin/phpinfo.php

    5. Path disclosure in /doc/addon-index.php
    ==========================================

    Because of an extra ../ in the include path.

    6. Several other path disclosures
    =================================

    Several other path disclosure vulnerabilities when scripts and include
    files are directly called.

    Examples: detail.php, fpass.php, header.inc.php, main.php, nav.php,
    pay.php, payed.php, publicpay.inc.php, reguser.php, search.php,
    server.php, view_cart.php, lib.inc.php, show_size.inc.php,
    limit.navi.inc.php, mailer.inc.php, show_cart.inc.php, stats.php,
    show_color.inc.php, show_content.inc.php, show_item_0.inc.php,
    show_item_1.inc.php, show_item_x.inc.php, show_item_2.inc.php

    7. Some more path disclosure vulnerabilities in the "admin" directory.
    =======================================================================

SOLUTION

    A new version which addresses the listed vulnerabilities has been
    released.

    http://sourceforge.net/projects/phpay
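The following is an added example showing how the classes of bug in items 1, 2, 3 and 6 are closed in a PHP application of this kind; it is not phPay's code and not the fix shipped in the new version. The parameter names (new_lang, config, lookfor) and the lang/ and *.inc.php layout are taken from the advisory; the allowlists, the PHPAY_ENTRY constant and the function names are assumptions, and the code is written for current PHP rather than PHP4.

```php
<?php
// Added example, not phPay's own code. Demonstrates the four defences that
// remove the reported problems: no error paths in responses, a direct-call
// guard for include files, allowlisted language/config selection, and
// output escaping for the search term.

// Item 2, 3, 5, 6, 7 (path disclosure): a fatal error must never reach the
// browser. Log it server-side instead; the install path stays private.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Item 6 (include files called directly): every *.inc.php begins with
//   if (!defined('PHPAY_ENTRY')) { header('HTTP/1.0 403 Forbidden'); exit; }
// and each entry script such as login.php defines the constant first.
// PHPAY_ENTRY is an assumed name.
define('PHPAY_ENTRY', true);

// Item 2 (new_lang=99999 -> require 'lang/.inc.php'): map the request value
// onto a fixed list of known language files instead of building the
// require path from user input. The list itself is an assumption.
function select_language(array $request): string
{
    $languages = ['en', 'de', 'tr'];
    $lang = isset($request['new_lang']) ? (string) $request['new_lang'] : 'en';
    if (!in_array($lang, $languages, true)) {
        $lang = 'en';            // unknown id: fall back, do not error out
    }
    return 'lang/' . $lang . '.inc.php';
}

// Item 3 (start.php?config=...): the config name must be a bare filename
// from a known set. basename() rejects '../' and any URL-style value, so a
// remote file can never be included; the allowlist rejects everything else.
function select_config(array $request): string
{
    $configs = ['config.inc.php'];   // assumed default config filename
    $name = isset($request['config']) ? (string) $request['config'] : 'config.inc.php';
    if ($name !== basename($name) || !in_array($name, $configs, true)) {
        throw new RuntimeException('invalid config selection');
    }
    $path = __DIR__ . '/' . $name;
    if (!is_file($path)) {
        // Report the failure without echoing the filesystem path.
        throw new RuntimeException('config file missing');
    }
    return $path;
}

// Item 1 (search.php?lookfor=<script>...): escape on output, so the
// reflected term is rendered as text and cannot execute in the browser.
function render_search_term(string $lookfor): string
{
    return 'Results for: ' . htmlspecialchars($lookfor, ENT_QUOTES, 'UTF-8');
}

// Demonstration with the probe values quoted in the advisory.
echo select_language(['new_lang' => '99999']), "\n";        // lang/en.inc.php
try {
    echo select_config(['config' => 'alper.inc.php']), "\n";
} catch (RuntimeException $e) {
    echo 'config rejected: ', $e->getMessage(), "\n";        // no path leaked
}
echo render_search_term('<script>alert(document.cookie)</script>'), "\n";
```

Two design points: the language and config selectors return a path only for values already present in their allowlists, so a bad parameter can never produce a `require` failure (and hence no fatal-error message to leak); and escaping is done at output time with `htmlspecialchars`, which handles the `lookfor` case regardless of what the search backend does with the raw term. The `/admin/phpinfo.php` page from item 4 is simply removed from the deployment, or restricted by the web server to the administrator's network.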